Privilege escalation - what is best practice?

Hi all,

I am running my playbooks as user ansible (which has sudo rights) for instance but often need to escalate privileges. This can be done in multiple ways:

  1. specify per task: become=true
  2. specify for the entire playbook at the beginning: become=true
  3. specify for the entire host via the inventory file: ansible_become=true

Can someone shine some light on this topic about what is best practice here? It is a machine that has to install multiple roles and needs to escalate privilege often, but not always. Thanks in advance!

Hey Listing,

I would say you should use the become method only if necessary. If the whole play needs it, set it at playbook level. If one role needs it (all tasks of it), set it at role level. If only some tasks need it, set it on task level.
You don’t want to be the guy/girl who deletes a database or overwrites an important file as root. On 100 servers.

Less is more!
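As an added illustration of the "narrowest scope wins" rule from the reply above (this is example code, not from the original thread), here is one playbook that uses all three scopes: play level where every task is privileged, role level where one whole role needs it, and task level for a single restart. The host group `webservers`, the role `nginx`, the repository URL and the paths are assumptions for the example.

```yaml
# Added example, not part of the original thread.
# Run with:  ansible-playbook -i inventory site.yml -K   (-K prompts for the sudo password)
---
# Play 1: every task here installs packages, so all of them need root.
# Escalating at play level is the right scope for this play.
- name: Base packages for all web servers
  hosts: webservers            # assumed group name
  become: true
  tasks:
    - name: Install base packages
      ansible.builtin.package:
        name:
          - curl
          - vim
        state: present

# Play 2: most of the work runs as the connecting user (ansible).
# Escalate only in the role and the one task that really need it.
- name: Deploy the application
  hosts: webservers
  become: false                # explicit default: stay unprivileged
  roles:
    # Role level: every task inside this role runs as root.
    - role: nginx              # assumed role name
      become: true
  tasks:
    # Task level: only the service restart escalates.
    - name: Restart nginx
      ansible.builtin.service:
        name: nginx
        state: restarted
      become: true

    # Runs as the unprivileged ansible user. A typo in "dest" here can only
    # touch files that user already owns, not root-owned files.
    - name: Check out application code into the ansible user's home
      ansible.builtin.git:
        repo: https://git.example.invalid/app.git   # assumed URL
        dest: /home/ansible/app
        version: main
```

The third option from the question, `ansible_become=true` in the inventory, is the widest scope of all: it makes every play that touches that host run as root unless a play, role or task sets `become: false`. Reserve it for hosts where literally everything you manage needs root; otherwise the explicit `become: true` next to the task or role that needs it documents the intent and keeps the blast radius of a mistake small.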